Usher: a comprehensive enterprise security guide


USHER – A COMPREHENSIVE ENTERPRISE SECURITY GUIDE

TABLE OF CONTENTS

Introduction 5
  Logical access controls 6
  Physical access controls 6
  Identity authentication solutions 7
Chapter 1: Components of an enterprise security deployment with Usher 8
  Mobile credentials (Usher Security) 8
  Usher badge 9
  Time-limited Usher codes 9
  Validation panels 11
  Digital keys for physical access 13
  Sight code panel (only available in SDK) 13
Chapter 2: Badge security and configuration 14
  256-bit AES encryption of user attributes 14
  Integration with Touch ID 15
  Offline capabilities 15
  Add a badge from deep link in email 15
  Badge information 16
  Upload profile image 17
  Remove a badge locally 17
  Badge recovery 18
  Image caching 18
  Encrypted access tokens for authentication 19
  Offline Usher code generation 19
  Encrypted X.509 PKI certificates 20
  Out-of-band identity transmission 20
  Encrypted channel for data transmission 21
Chapter 3: Network management 22
  Network creation 23
  User management 24
  Usher agent for Active Directory 24
  Network administrators 25
  Badge management and design 26
Chapter 4: Authentication and access 27
  Logical access and methods 28
  Physical access and methods 31
  Behavioral-based conditions/fencing 34
  Extension to Apple Watch 35
Chapter 5: Workforce productivity with Usher Professional 36
  Discovery views 37
  User profiles 38
  Search capabilities and saved groups 39
Chapter 6: Intelligence and reporting with Usher Analytics 40
  Interface 41
  Transaction logs 43
  Pre-built dashboards 44
Chapter 7: Usher server 46
  Server architecture 47
  Server components 47
  Common library and tools 47
  Server deployment 48
  Deployment architectures 48
  Secure Cloud 48
  Certifications and controls 48
  FIDO certification 48
  Systems 49
  Current server environment (multi-tenant) 49
  Operations 50
  Technology 50
  Monitoring 50
  Maintenance 50
  Security operations 51
  Vulnerability management 51
  Event logging and auditing 52
Chapter 8: Custom implementation (SDKs) 53
  Mobile SDK workflows 54
  Usher as a mobile app authentication mechanism 55
  Usher as an enterprise SSO provider 56
  Usher as a step-up authorization provider 56
  Usher as a peer-to-peer authentication provider 57
  Mobile SDK 57
  Server-side SDK 57
  Platform RESTful API 58
  Physical Access Control System API 58
Chapter 9: Deployment scenarios 59
  Higher education 60
  Federal government 62
  International airport 63
  Financial services 64
Chapter 10: System requirements 66
  Up-to-date documentation links 67
  Recommended production configuration 67
  Development and pilot configuration 68
  Usher Professional and Usher Analytics 68
  Usher physical gateways 69
  Usher evaluation edition license keys 69

Introduction

The threat of industrial espionage today is all too real; it seems that every day another company’s confidential information is hacked—and the cost of these security breaches is escalating at an alarming rate. According to a study conducted by the Ponemon Institute, the average cost of an information security breach to a U.S. company is $3.5 million; this figure doesn’t even include the mega-corporations who were most recently the victim of an attack. What the Ponemon figure also doesn’t represent is the post-attack cost to a company’s reputation. We all know public trust is a key requirement for revenue and business continuity.

Reputation can be a company’s biggest value driver, or its worst enemy. For one highly visible retailer, the latter came true in 2014. This name-brand retailer estimated that in Q2 2014, the costs associated with their security breach exceeded $148 million. Forrester Research Analyst John Kindervag suggests that over time, those costs could eclipse $1 billion.

The moral of the story: your information is too valuable to be protected by traditional and outdated security measures. As a result of these trends, businesses of all types are making 2015 the year of information security, or InfoSec. MicroStrategy has identified three crucial types of investments in the field of identity and access management (IAM) and advanced authentication (AA) and built all three of them into a single security offering, Usher. This Usher product guide addresses industry issues as well as capabilities, security details, and use cases.


usher.com 6

Investment 1: Logical access controls

Logical access controls ensure only appropriately credentialed employees have access to your workstations, applications, and information networks. Unfortunately, at many companies, employees across the organization have unhindered access—typically “resolved” by controlling access via passwords. Here’s an alarming statistic: 76% of all cybersecurity breaches are caused by weak or compromised passwords. Equally striking, it costs your firm anywhere from $51–$147 every time someone needs a password reset. This cost is driven by the number of calls your help desk fields exclusively for password resets (Fact: 30% of all help desk calls are a result of forgotten passwords). Standard logical access controls like passwords are surprisingly expensive to your firm–even without a breach. By relying on passwords, your organization is leaving itself vulnerable to even greater costs, as passwords are easily hacked by internal and external threats alike. It is critically important for your organization to secure its sensitive information using effective logical access controls. Essentially any access control utility that relies on simple data entry—including passwords, PINs, and knowledge-based questions—is not enough. Security measures like these cannot account for the person inputting the data. Much like physical security platforms, logical access platforms must leverage the person’s true, non-replicable identity.

Investment 2: Physical access controls

Most companies utilize various forms of physical locks and keys for access control; these solutions have obvious weaknesses. These weaknesses do not, however, stem from the solutions themselves. Rather, they are the result of the user. Studies have shown that the top threat to an organization’s data is its own employees. In fact, it has been reported that 69% of serious organizational data leaks are caused by employee activities—both malicious and non-malicious in nature. With activities of malicious intent, these leaks are often a result of employees physically accessing server rooms and devices that contain sensitive information. In these situations, physical access controls are either abused or, even worse, non-existent.

The most infamous information security hack of 2014 is a poignant example of failed physical access controls. According to the hacker group responsible, they were able to obtain their victim’s private information by leveraging employees on the inside with physical access to the target network. If this is true, it implies employees physically injected a virus into the network that enabled the hackers to access their victim’s data remotely. Additionally, if the hacker group did in fact leverage employees, then it will be very difficult for the victim to recover fully. As CSO Online points out, “physical security related breaches…are hard to contain and recover from because evidence can be tampered with or simply removed.” What makes this story even more worrisome is that the employees were said to have “similar interests” to the hacker group. No organization wants to believe their employees are capable of being adversarial. However, it is nearly impossible for an organization to prevent the possibility of a bad egg—there’s always the risk of a disloyal or embittered employee attempting an information security breach. When this happens, it is critically important that your company has suitable physical access controls to prevent a breach.

So what can your organization do to prevent a physical security-related attack? Most importantly, consider how your employees currently access your physical computer network environment. Is it with the turn of a key? Is it an electronic key fob? Is there an actual guard standing at the door? All of these methods lend themselves to human error. Physical keys or key fobs can be lost or stolen. A guard can mistakenly grant access to an unauthorized person. Every organization needs a physical access control solution that authenticates individuals based not only on something they have (such as a key, key fob, or physical badge), but also on something they know (like passcodes and PINs), and something they are (biometrics). From the user’s standpoint, the access tool needs to be difficult to lose, steal, and replace.

Investment 3: Identity authentication solutions

As greater emphasis is placed on improving physical and logical access controls, it becomes increasingly important to manage these controls centrally. Information security is simply too important to be directed by individual departments. Distributed ownership leads to unclear accountability, making it difficult to identify security vulnerabilities and breaches without a single unified platform. This trend toward centralized administration is called converged access management (CAM). CAM is the ideal that every organization must strive to achieve. However, CAM is all but impossible to achieve when employees are forced to use different forms of identification for different types of authentication purposes. If employees use a physical badge to gain physical access and a password to gain logical access, it is highly likely that separate administrators manage each type of access. Organizations in this position sacrifice both efficiency and security. To guarantee the best protection, organizations must adopt a single, comprehensive identity authentication solution. For employees, this means a single authentication tool that is simple to use. For administrators, this means an authentication platform that is difficult to defeat and doesn’t require a specialized skillset to manage. And crucially, the identity authentication solution must provide comprehensive threat monitoring and analysis.

Chapter 1: Components of an enterprise security deployment with Usher

Mobile credentials (Usher Security)

Mobile security badges allow enterprises to replace outdated methods of authentication such as passwords, ID cards, keys, and security tokens, with a mobile app. Mobile security badges are a more secure solution because they offer multi-factor authentication, dynamically changing codes, encryption, telemetry, geo-fence controls, time-fence controls, and biometrics, all running on a single instance on mobile devices.

[Figure: the Usher Security app badge view, showing a sample employee badge (name, Usher code, title) and the tabs BADGE, KEYS, QR CODE READER and SETTINGS. Swipe left and right for additional badges; swipe up for additional profile information.]

Usher badge

The badge is the center of the Usher user experience. Badges are uniquely branded for a given enterprise and present publicly viewable information like name, title, and a photo. Users can have multiple badges in the same app, and simply swipe left or right to switch between them.

Locally on the mobile phone, the Usher badge stores nothing more than basic user information (such as name, title, and photo), an access token that authenticates the user, and an X.509 PKI certificate that identifies the smartphone to the server as an Usher-enabled device.

[Figure: Usher badge data stored on the phone. User attributes: only a simple, descriptive part of the identity is stored on the phone. Picture: a photo of the user for visual identification. X.509 PKI certificate: ensures that only Usher identities are authenticated. Access token: for authentication of the user. The Usher mobile app stores data on the smartphone in an encrypted format.]

Time-limited Usher codes

Usher acts as an extension of a user’s identity and communicates that identity to a wide range of devices and systems within the enterprise, including watches, phones, tablets, computers, systems, and doorways. It does so using three different methods:

1. Usher codes: human-readable time codes of 4 to 8 digits that expire every 60 seconds or other configurable time period.
2. QR codes: machine-readable, dynamic QR codes for scanning that expire every 60 seconds.
3. Bluetooth signals: Bluetooth low energy (BLE) signals that can transmit and detect Usher users in close proximity using very low power consumption.

Prior to Usher, personal identity validation was limited to two imperfect systems:

1. The low-cost, low-security system that uses laminated pictures on official-looking cards, which are easily forged, stolen, or counterfeited.
2. The high-cost, higher-security solution that provides electronic validation using dedicated biometric readers or smartcards with card readers or sensors.

With Usher, users enter time-limited Usher codes into their Usher badge’s user validation panel to verify the identity of other users. After the pre-set time period expires, each code is refreshed and replaced with a newly generated code. The previous code is rendered invalid and can no longer be used. All Usher codes are linked to a specific device, enabling the server to precisely identify the device being used. This architectural design ensures that the security risk associated with stolen Usher codes is minimal, preventing replay attacks. Given the time sensitivity, these codes are designed to withstand brute force attacks with the server throttling guessing attempts. In short, the attacker only has the time period for which the Usher code is valid to try each and every combination, making it highly improbable for the in-use Usher code to be guessed.

[Figure: timeline of Usher code rotation. A new Usher code is generated at 60 s, 120 s and 180 s (sample codes 9867, 6231, 5512); each old Usher code is expired when the next one is generated. One-time, time-limited Usher codes act as short-lived, temporary identifiers of the client.]

Validation panel

The QR validation panel, which is the third tab in the bottom navigation pane in the Usher Security app, is a built-in QR code scanner. This panel lets users capture Usher QR codes, allowing them to open entryways, unlock workstations, log in to applications, and authorize transactions (an SDK-only functionality). For low-light situations, there is a built-in flashlight button at the top-left corner.

[Figure: the Validation tab (“Scan QR code for access”) and the User Validation view of a sample badge, with the tabs QR Code, Usher Code and User Validation (“You can validate users by their Usher Code or by scanning their QR code.”) and the badge fields Usher code, Email, Name, Title, Issue Date, Badge and Organization.]

The User Validation panel (accessed by tapping on a badge to bring up the Badge Information view, and then selecting “User Validation”) empowers users to verify the identities of other Usher users, both remotely and in-person.

When remote, any Usher user can ask another Usher user via phone or chat for their 4- or 8-digit Usher code, then type it into the User Validation panel and press ‘Enter.’ When in-person, navigate to the QR code tab and scan the other user’s personal QR code from their badge information view. Either workflow should return the same result:

You can then tap on the envelope in the top-right-hand corner to conveniently add the validated user to your phone’s contact list.

Digital keys for physical access

Plastic ID cards used for physical access are easily lost, stolen, or counterfeited—problems that can go days without being discovered. Additionally, physical ID cards grant entry based on possession, without regard to the cardholder’s identity. By interoperating with the world’s most prevalent physical access systems (Lenel, Honeywell, Paxton, Datawatch, S2 Security), physical entry points can be controlled by Usher using encrypted digital keys attached to a mobile device. Users can rely on the smartphone or Apple Watch to securely access virtually every entryway with digital keys that can be remotely distributed and revoked in an instant.

[Figure: the Keys tab (Favorite Keys / All) listing sample digital keys such as HQ P3 Garage, HQ P3 Lane 2 Entry, HQ P3 Lane 2 Exit, HQ P3 Lane 3 Exit, Innovation Lab and HQ 14 Flr Elevator S, and a second key list with L3 exit, L2 exit, L2 enter and L1 enter.]

Sight code panel (only available in SDK)

Sight codes are animated, time-limited fractal images that are impossible to counterfeit and provide instant visual indication that people are members of the same Usher network. They are revealed by swiping left on an Usher badge, and are perfect for quick visual identification of a group of people (e.g. employee identification in an emergency response situation, quick identification of event attendees). This has applications for any physical space that hosts multiple events concurrently: badges for attendees of each event will display different sight codes.

Chapter 2: Badge security and configuration

256-bit AES encryption of user attributes

Only basic identity information, such as a user’s name, title, company, and photo, is stored locally on the client. All user attributes are encrypted with 256-bit AES encryption and stored in the phone’s encrypted storage area, ensuring that the user’s data cannot be compromised.

[Figure: badge data under 256-bit AES encryption, shown as an opaque ciphertext string. Basic user information is stored in an encrypted format on the smartphone.]

Integration with Touch ID

Mobile hardware and software are becoming sophisticated enough so that everyone with a smartphone can have a powerful, state-of-the-art biometric reader in their pockets. This added layer of security comes at no added cost to the enterprise, as no investment in additional biometric verification hardware is needed.

With Touch ID, the device operating system (OS) determines the procedure for capturing a fingerprint in order to perform feature extraction and verification. A dialog that requests the user to present their fingerprint is displayed. This dialog disappears upon successful acquisition of the fingerprint image by the device, followed by a successful verification. The same dialog is displayed if the verification is unsuccessful for up to three consecutive tries.

The fingerprint feature extraction is controlled and performed by the mobile OS; applications such as Usher have no access to the extraction process or to the template. Usher does not have fingerprint feature extraction explicitly in its workflow; instead, the presence of user enrollment is checked and verification functionality is disabled if the user has not enrolled their fingerprint.

Offline capabilities

Usher offers several options for situations where network connectivity is not available.

1. Physical access: you can have a Bluetooth reader at the door, which is connected to the network (hard-wired or Wi-Fi), and a disconnected Usher mobile client can unlock the door.
2. Logical access: a disconnected Usher mobile client can unlock a Mac workstation with Bluetooth.
3. Peer-to-peer validation: works when the validated user is offline, but the validator must be online.

Add a badge from deep link in email

If a user has just installed the Usher app and has not yet added a badge, there will be a welcome screen displayed to remind this user to check his email and see if there’s an invitation to add a badge. After the administrator creates an Usher network and invites the corresponding users, the end user being invited (or the administrator user himself) will receive an email. If the user opens the mail on her phone and clicks the activation link in the mail, the badge will be automatically added in the Usher Security app (the mobile client).

If the Usher mobile client is not detected on the phone, the activation link will redirect the user to the Usher Security app page on Apple Store or Google Play store to allow the end user to download and install it. After that, the user can click the activation link in the email. The badge the end user has been invited to add will be loaded automatically in the Usher Security app and displayed to the end user.

If this badge has already been added in the Usher Security app in the past, a message saying “%Badge Name% badge has already been added previously” will be displayed.

Badge information

A “badge information” section is located in the “settings” of the Usher Security app. All badges added in the Usher Security app will be listed in this section. Clicking a badge listed here will display all information related to it, which includes:

1. Organization
2. Badge
3. Issue date
4. Email
5. Time-limited Usher code (also found on the main view of the badge)
6. Time-limited QR code (scannable for the purposes of verifying the legitimacy of this badge)

[Figure: the Badge Information view of a sample badge, with the tabs QR Code, Usher Code and User Validation and the fields Usher code, Email, Name, Title, Issue Date, Badge and Organization.]

Upload profile image

If the administrator does not add an image for a user in his profile when they create a badge using Network Manager, no image will be shown in the user’s badge. This user may be able to upload or change her picture from the badge by tapping on the image placeholder in the badge information view to activate the camera and photo library. Any new image captured or selected will be synced and stored on the server along with the user’s other information.

Remove a badge locally

When in the Badge Information view (accessed by tapping on any badge), scrolling down reveals a button that allows a user to remove the badge from the app altogether. A pop-up dialog will prompt the user to confirm the badge deletion. If this badge is the only badge in the Usher Security app, deleting it will redirect the user to the welcome screen.

To remove multiple badges at once, navigate to the settings tab at the bottom of the app, and then select “manage badges.”

[Figure: the Badge Information view with the Remove Badge button (also showing Passcode Not Required and Touch ID Not Required), and the Settings tab with the sections SERVER, YOUR BADGES and CONTACT US and the items Usher Server (9 badges), Badge Recovery, App Passcode, Manage Badges, Send Feedback and Report a Problem.]

Badge recovery

Badge recovery allows users to recover badges for the Usher Security app through the settings screen of the application when at least one badge has been added. Otherwise, users will need to enter an email address on the application landing page at first launch. The user will receive an email with a deep link to restore all of the badges associated with his or her email address.

Image caching

In order to improve performance and reduce time/network traffic cost for users when switching between badges or validating other users in Usher, Usher offers an image cache policy.

Each time a user validates another user’s badge in the validation panel or refreshes all his badges in the Usher Security app, the client will check the image cache for each of these badges.

1. If there is no image being cached, the client will fetch the image from the server and cache it.
2. If there is an image being cached, the client will compare the timestamp of this badge image with the server to see if it is the latest one.
3. If the image being cached is not the latest one, the client will fetch the latest image from the server and update it.
4. If the image being cached is the latest one, the client will display the cached image.

Encrypted access tokens for authentication

Usher employs access tokens instead of usernames and passwords, eliminating the need to send user credentials over Wi-Fi, 3G or 4G networks for user authentication. This ensures that credentials cannot be intercepted or phished during data transmission. Access tokens are stored in an encrypted format on the smartphone and are only valid for a specific, but configurable, time period. Upon expiry, Usher users must re-authenticate themselves to Usher and obtain a new token.

[Figure: the access token stored as 256-bit AES ciphertext on the smartphone.]
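The at-rest protection described in the two passages above (256-bit AES encryption of the basic badge attributes, and an access token that is stored encrypted and must be renewed after its validity period) can be made concrete with a small Go example. It is added illustration, not Usher's code, and assumes an authenticated mode (AES-256-GCM; the guide names AES-256 but not the mode), a 32-byte key that the app would obtain from the platform keystore, a constructed BadgeRecord layout, and a device identifier bound as associated data so that a blob copied to another device does not open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// BadgeRecord is a constructed model of what the guide says the phone keeps locally:
// descriptive attributes plus the access token and its validity period. The photo and
// the X.509 certificate would be sealed the same way.
type BadgeRecord struct {
	Name        string    `json:"name"`
	Title       string    `json:"title"`
	AccessToken string    `json:"access_token"`
	TokenExpiry time.Time `json:"token_expiry"`
}

var ErrTokenExpired = errors.New("access token expired: re-authenticate to obtain a new one")

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // AES-256 means a 256-bit key; refuse anything else
		return nil, fmt.Errorf("key must be 32 bytes, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the record with AES-256-GCM (the guide names AES-256 but not the mode; an
// authenticated mode is assumed). deviceID is bound as associated data, so a blob copied
// to another device does not open. Output layout: nonce || ciphertext || tag.
func Seal(key []byte, deviceID string, rec BadgeRecord) ([]byte, error) {
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per seal
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(deviceID)), nil
}

// Open decrypts and authenticates; any modification of the stored blob fails here.
func Open(key []byte, deviceID string, blob []byte) (BadgeRecord, error) {
	var rec BadgeRecord
	gcm, err := newGCM(key)
	if err != nil {
		return rec, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return rec, errors.New("stored blob is truncated")
	}
	plaintext, err := gcm.Open(nil, blob[:n], blob[n:], []byte(deviceID))
	if err != nil {
		return rec, errors.New("stored badge data failed authentication")
	}
	if err := json.Unmarshal(plaintext, &rec); err != nil {
		return BadgeRecord{}, err
	}
	return rec, nil
}

// LoadToken releases the access token only while it is still valid; after expiry the
// app must re-authenticate, as the guide describes.
func LoadToken(key []byte, deviceID string, blob []byte, now time.Time) (string, error) {
	rec, err := Open(key, deviceID, blob)
	if err != nil {
		return "", err
	}
	if !now.Before(rec.TokenExpiry) {
		return "", ErrTokenExpired
	}
	return rec.AccessToken, nil
}
```

Seal is what the app would run after receiving badge data from the server; LoadToken is the read path before each authenticated request, so an expired token is never sent and a tampered or copied blob is never trusted.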

Offline Usher code generation

All Usher codes used for identification can be generated on the client, including the QR code and numeric Usher code. For numeric Usher code generation, the Usher server sends an initial key to the Usher-enabled device, which stores this key on the phone in an encrypted format. The Usher-enabled device then uses this key to generate time-limited numeric codes locally on the smartphone. The Usher architecture is designed such that the initial key remains valid only for a specific, configurable time period. Before expiry, the Usher server issues a new key to the device for generating a new set of codes. The time-limited codes, which expire after a pre-set time limit, not only are designed to withstand brute force attacks but also make it highly improbable for the code to be guessed. In addition, the Usher server will throttle any attempts to guess Usher codes, thereby preventing a brute force attack.

[Figure: a badge showing a sample Usher code (2165) and its QR code.]
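The code lifecycle described here and in the Time-limited Usher codes section (a server-provisioned key with its own validity window, codes generated offline per 60-second period, each code bound to one device, accepted once, and guesses throttled by the server) as an added Go example; it is not Usher's implementation. The HMAC-based construction (RFC 6238 style), the throttle of five guesses per period, the Device record and the package-level registry and clock are all assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"time"
)

const (
	StepSeconds = 60 // code lifetime; the guide's default, configurable in Usher
	MaxAttempts = 5  // constructed throttle: guesses allowed per device per period
)

var (
	ErrUnknownDevice = errors.New("unknown device")
	ErrKeyExpired    = errors.New("device key expired: server must issue a new key")
	ErrThrottled     = errors.New("too many attempts in this code period")
	ErrBadCode       = errors.New("code does not match")
	ErrReplay        = errors.New("code already used in this period")
)

// Device is a constructed server-side record; Usher's real schema is not published.
type Device struct {
	ID, Name, Title string
	Key             []byte    // provisioned by the server, kept encrypted on the phone
	KeyExpiry       time.Time // the server re-issues a key before this point
	Digits          int       // 4 to 8 per the guide
	lastUsedStep    int64     // replay protection: each period's code is accepted once
	attemptStep     int64     // throttle window (the current period) ...
	attempts        int       // ... and the guesses seen in it
}

// Constructed server state: the device registry and an injectable clock.
var (
	devices = map[string]*Device{}
	Now     = time.Now
)

func timeStep(t time.Time) int64 { return t.Unix() / StepSeconds }

// GenerateCode is the offline client side: an HMAC over the current period, truncated
// to `digits` decimal digits (TOTP-style; the guide does not state Usher's construction).
func GenerateCode(key []byte, digits int, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(timeStep(t)))
	mac := hmac.New(sha256.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic trunc. as in RFC 4226
	v := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, v%uint32(math.Pow10(digits)))
}

// Provision issues a fresh random key with a validity window to a device.
func Provision(id, name, title string, digits int, keyTTL time.Duration) (*Device, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	d := &Device{ID: id, Name: name, Title: title, Key: key, Digits: digits,
		KeyExpiry: Now().Add(keyTTL), lastUsedStep: -1}
	devices[id] = d
	return d, nil
}

// Validate is the "submit personal code" step: the code is bound to one device, the key
// must be unexpired, guesses are throttled per period, a code is accepted only once.
func Validate(deviceID, code string) (name, title string, err error) {
	d, ok := devices[deviceID]
	if !ok {
		return "", "", ErrUnknownDevice
	}
	now := Now()
	if now.After(d.KeyExpiry) {
		return "", "", ErrKeyExpired
	}
	step := timeStep(now)
	if d.attemptStep != step { // new period: reset the guess counter
		d.attemptStep, d.attempts = step, 0
	}
	if d.attempts >= MaxAttempts {
		return "", "", ErrThrottled
	}
	d.attempts++
	expected := GenerateCode(d.Key, d.Digits, now)
	if !hmac.Equal([]byte(expected), []byte(code)) {
		return "", "", ErrBadCode
	}
	if d.lastUsedStep == step {
		return "", "", ErrReplay
	}
	d.lastUsedStep = step
	return d.Name, d.Title, nil
}
```

Provision registers a device and hands back its key; the phone side calls GenerateCode with that key and the current time, and a validator's submission goes through Validate, which releases the identity only after the device, key validity, throttle, code match and single-use checks all pass.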

Encrypted X.509 PKI certificates

Usher uses X.509 PKI client certificates to help secure communications between the Usher mobile app and the Usher server. The Usher server issues a unique X.509 PKI certificate to each Usher-enabled device when the Usher mobile app is launched for the first time on that device. This certificate is generated to the X.509 PKI standard, and, upon issue, is stored in the mobile phone’s encrypted storage area. A mobile phone identifies itself as an Usher-enabled device to the Usher server by including its unique X.509 PKI certificate in every data transmission. This in turn prevents rogue devices from impersonating an Usher device and establishing fraudulent communication with the Usher server to steal identity information.

[Figure: the X.509 PKI certificate stored as 256-bit AES ciphertext on the smartphone.]

Out-of-band identity transmission

All identity information is transmitted out-of-band from the Usher server to the Usher mobile app. This ensures that no two Usher clients directly share identity data and that the Usher server always validates the identity independently. This includes identity validation through QR and numeric Usher codes. This approach also ensures that malicious apps can never steal identity data from the smartphone client. Additionally, since a malicious app cannot present a valid Usher-issued X.509 PKI certificate, the Usher server will immediately reject any communication attempts from it, ensuring that identities always remain secure.
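As an added example (not code from the Usher guide or product), the following Go program models the two mechanisms described in the time-limited codes section and in this out-of-band section: a device-side generator for time-limited 4-digit codes derived from a server-issued key that expires after a configurable lifetime, and the server-side check run when another client submits such a code, which returns the owner's identity only from the server and throttles repeated wrong guesses. The code period, key lifetime, lockout policy and the assumption that the submitter names the code's owner are this example's choices, not values from the guide.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Constructed parameters; the guide does not state Usher's actual values.
const (
	codeDigits  = 4                // the guide mentions dynamic 4-digit Usher codes
	codePeriod  = 60 * time.Second // how long one code stays valid
	keyLifetime = 24 * time.Hour   // configurable validity of the device key
	maxFailures = 5                // wrong guesses tolerated before throttling
	lockout     = 15 * time.Minute // how long verification is refused after that
)

var ErrThrottled = errors.New("too many failed attempts for this user; try again later")
var ErrRejected = errors.New("code rejected")

type Identity struct{ Name, Title string }

type deviceKey struct {
	secret     []byte
	validUntil time.Time
}

// Server holds per-user code keys, identity data and throttling state.
type Server struct {
	keys        map[string]deviceKey
	identities  map[string]Identity
	failures    map[string]int
	lockedUntil map[string]time.Time
}

func NewServer() *Server {
	return &Server{keys: map[string]deviceKey{}, identities: map[string]Identity{},
		failures: map[string]int{}, lockedUntil: map[string]time.Time{}}
}

func (s *Server) RegisterUser(user string, id Identity) { s.identities[user] = id }

// IssueKey creates (or, when called again before expiry, rotates) the key the
// user's device uses to generate codes. The device stores it encrypted.
func (s *Server) IssueKey(user string, now time.Time) ([]byte, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	s.keys[user] = deviceKey{secret: secret, validUntil: now.Add(keyLifetime)}
	return secret, nil
}

// CodeAt is the device-side step: HMAC-SHA256 over the time-step counter,
// truncated to 4 digits (TOTP-style, RFC 6238). No network is needed, which is
// what makes offline code generation possible.
func CodeAt(secret []byte, t time.Time) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix()/int64(codePeriod/time.Second)))
	mac := hmac.New(sha256.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset, as in RFC 4226
	v := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", codeDigits, v%10000) // 10^codeDigits
}

// VerifyCode runs on the server when a second client submits a code it was shown
// out-of-band. The submitter names the code's owner (an assumption; the guide does
// not say how the owner is identified) and on success receives that owner's
// identity from the server, never from the peer. With only 10,000 possible codes
// the lockout defeats guessing; a deployment should also throttle per submitter.
func (s *Server) VerifyCode(user, code string, now time.Time) (Identity, error) {
	if until, locked := s.lockedUntil[user]; locked && now.Before(until) {
		return Identity{}, ErrThrottled
	}
	k, hasKey := s.keys[user]
	id, known := s.identities[user]
	if hasKey && known && now.Before(k.validUntil) { // an expired key accepts nothing
		// Accept the current step and the previous one to tolerate clock skew.
		for _, t := range []time.Time{now, now.Add(-codePeriod)} {
			if subtle.ConstantTimeCompare([]byte(CodeAt(k.secret, t)), []byte(code)) == 1 {
				delete(s.failures, user)
				return id, nil
			}
		}
	}
	s.failures[user]++
	if s.failures[user] >= maxFailures {
		s.lockedUntil[user] = now.Add(lockout)
		delete(s.failures, user)
	}
	return Identity{}, ErrRejected
}
```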


[Figure: out-of-band identity transmission. (1) One Usher mobile client generates a time-limited personal code (an Usher code or a QR code); (2) it offers the personal code to another Usher mobile client; (3) the other client submits the personal code to the Usher server; (4) the other client receives the identity information from the Usher server.]

Encrypted channel for data transmission

The Usher server and the underlying identity management solutions use the TLS protocol with a 256-bit AES cipher to send identity verification requests and verified identities to one another. These requests include the access token for user authentication, the X.509 PKI certificate to identify the device, and an Usher code; and the transmission is always encrypted. The Usher server matches the client’s X.509 PKI certificate with a copy maintained in the Usher server database and, upon positive identification, sends the verified identity back to the client. This process ensures that only known Usher-enabled devices can send identity requests to Usher and receive identity information from it. Additionally, all identity requests are processed exclusively through the Usher server, which, in turn, accesses identity information through Usher connectors.

Certificate pinning: To ensure that the client is talking only to known servers, all trusted servers’ certificates are pinned in the application to prevent a man-in-the-middle attack that may use fraudulent certificates or malicious proxy servers. The usage of certificate pinning also prevents cyber thieves from deploying a fraudulent server to masquerade as an Usher server.

[Figure: certificate enrollment. (1) At initial launch, the client sends a Certificate Signing Request containing the client public key and CSR information signed with the client private key; (2) the Usher server generates a certificate and maintains an encrypted copy in its certificate database; (3) the Usher client receives the certificate; (4) the Usher client encrypts the certificate on the client side with 256-bit AES.]
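The enrollment flow in the figure and the certificate matching and pinning described above, as an added example in Go using only the standard library (not Usher's own code): the device builds a CSR at first launch, the server checks the CSR signature, issues the client certificate and records a fingerprint of it, every later request is accepted only if the presented certificate both chains to the server CA and matches that record, and the client accepts only pinned server certificates. Ed25519 keys, the fingerprint database in place of an encrypted certificate copy, and the one-year lifetime are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CA stands in for the Usher server's issuing authority. The guide says the server
// keeps an encrypted copy of each issued certificate; a fingerprint stands in here.
type CA struct {
	cert   *x509.Certificate
	key    ed25519.PrivateKey
	serial int64
	issued map[[32]byte]string // SHA-256 fingerprint -> device identifier
}

func NewCA(name string, now time.Time) (*CA, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{cert: cert, key: key, serial: 1, issued: map[[32]byte]string{}}, nil
}

// DeviceCSR is step 1 of the figure: at first launch the device generates a key
// pair and a CSR signed with the private key, which never leaves the device.
func DeviceCSR(deviceID string) (ed25519.PrivateKey, []byte, error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	csr, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: deviceID}}, key)
	return key, csr, err
}

// Enroll is step 2: the server checks the CSR's self-signature (proof that the
// requester holds the private key), issues a client-auth certificate and records it.
func (ca *CA) Enroll(csrDER []byte, now time.Time) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: csr.Subject,
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	ca.issued[sha256.Sum256(der)] = csr.Subject.CommonName
	return der, nil
}

// Authenticate is the per-request check: the presented certificate must chain to
// the server's own CA (a rogue CA fails here) and match a database copy (a
// certificate the server never issued, or revoked by deleting its entry, fails here).
func (ca *CA) Authenticate(der []byte, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	device, ok := ca.issued[sha256.Sum256(der)]
	if !ok {
		return "", errors.New("certificate not in the server's certificate database")
	}
	return device, nil
}

// PinnedServerOK is the client-side half (certificate pinning): the app trusts a
// server only when its certificate matches a fingerprint shipped with the app.
func PinnedServerOK(serverCertDER []byte, pins map[[32]byte]bool) bool {
	return pins[sha256.Sum256(serverCertDER)]
}
```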


Chapter 3: Network management

Security and IT personnel today are required to handle all information security-related issues, including replacing ID badges, resetting passwords, and managing databases with employee and customer information. The ideal security solution includes a management tool that allows IT personnel to manage all aspects of security systems – including deploying mobile security badges, monitoring logical and physical access, and understanding all enterprise workforce activity.


Network creation

An Usher network is the group of users in your organization who can use the Usher app on their smartphone to validate their identity, log into applications, gain access to secure physical resources, and so on. Network creation is the process of developing and naming a specific Usher network, and is accessed at the Network Manager web portal. For both Secure Cloud and on-premise deployments, Network Manager will reside at a URL unique to that specific implementation, which you can get from your Usher account team. Network Manager is the web interface to the Usher Server that allows Usher networks to be created and managed. Network Manager is a PHP application that runs under Apache. Through it, Usher administrators can create an Usher network, configure gateways (to web applications, physical access systems and workstations), and then distribute or revoke access to gateways among their users, quickly and simply.

Upon visiting the Network Manager site, administrators set up a network by following these steps:

1. Enter badge name
2. Enter network name
3. Edit badge design
4. Create an administrator account by submitting name, title, and photo (optional)
5. Enter a valid email address: Usher sends an email message with instructions to install the Usher client and acquire the badge
6. Log into Network Manager with the newly acquired Usher badge (by scanning the QR code on the screen)


User management

User management allows administrators to set up a user population for their Usher network. Administrators do so using one of the following methods:

• Manual user entry
• User import from supported applications
• User import from CSV file
• Identity Management (IDM) system synchronization
  • Active Directory
  • OpenLDAP

Please note that a combination of manual entry and IDM synchronization is not supported at this point in time.

Usher agent for Active Directory

Many organizations use Active Directory as a central repository for user management. With the Usher agent, an administrator can synchronize their Usher user base with Active Directory in a matter of minutes. All of this is done through a lightweight agent running as a service on a Windows machine. It connects to Active Directory and synchronizes the user groups or organizational units one wishes to incorporate into their Usher deployment.

In this deployment scenario, the Usher Active Directory agent is installed on customer premises. The Usher agent connects to the customer’s Active Directory via LDAPS. Communication between the Usher security server and the Usher agent is secured with TLS. The two-way communication channel is used for authentication purposes, as well as to update settings (e.g., import more user groups or synchronize more LDAP fields). The one-way communication channel is dedicated to sending updates from Active Directory to the Usher network to keep user information up to date (every 20 seconds).


This architecture can be deployed over a proxy or a firewall – and as the communication is outbound, it doesn’t require any change in firewall settings. The AD credentials are encrypted on the Usher agent, and the decryption key is stored on the Usher server.

The tool is entirely self-service, and has the benefit of letting changes performed on your user information in Active Directory be reflected in the Usher user base in seconds – one can even synchronize users’ pictures between Active Directory and Usher. Disabled users in Active Directory will be removed from the Usher user base in seconds as well.
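One synchronization pass of the kind the agent performs, as an added Go example (not the Usher agent's code): it takes the Active Directory entries read for the selected groups and the current Usher user base and produces the new user base, adding new members, updating renamed ones, and removing anyone disabled in AD or no longer in a selected group. The ACCOUNTDISABLE bit (0x0002) of userAccountControl is the real AD flag; the record layout, the constructed entries and keying users by objectGUID are this example's assumptions.

```go
package main

import "sort"

// accountDisabled is the ACCOUNTDISABLE bit of Active Directory's
// userAccountControl attribute; a set bit means the account is disabled.
const accountDisabled = 0x0002

// ADEntry is the subset of an AD user object the agent would read over LDAPS
// (constructed for this example; no directory is contacted).
type ADEntry struct {
	ObjectGUID, SAMAccountName, DisplayName, Mail string
	UserAccountControl                             int
	MemberOf                                       []string // group DNs
}

// UsherUser is the corresponding entry in the Usher user base.
type UsherUser struct {
	ExternalID, Login, Name, Email string
}

// SyncResult lists what one pass changed, for the agent's log.
type SyncResult struct {
	Added, Updated, Removed []string
}

// Reconcile computes the Usher user base that mirrors the selected AD groups.
// Users are keyed by objectGUID (an assumption: it is stable across renames),
// so a renamed account is an update rather than a removal plus an addition.
// Anyone disabled in AD, or no longer in a selected group, is removed.
func Reconcile(current map[string]UsherUser, entries []ADEntry,
	selectedGroups map[string]bool) (map[string]UsherUser, SyncResult) {
	next := make(map[string]UsherUser, len(current))
	var res SyncResult
	for _, e := range entries {
		if e.UserAccountControl&accountDisabled != 0 || !inAnyGroup(e.MemberOf, selectedGroups) {
			continue // disabled or out of scope: deliberately not carried over
		}
		u := UsherUser{ExternalID: e.ObjectGUID, Login: e.SAMAccountName,
			Name: e.DisplayName, Email: e.Mail}
		next[e.ObjectGUID] = u
		if old, ok := current[e.ObjectGUID]; !ok {
			res.Added = append(res.Added, u.Login)
		} else if old != u {
			res.Updated = append(res.Updated, u.Login)
		}
	}
	for guid, old := range current {
		if _, keep := next[guid]; !keep {
			res.Removed = append(res.Removed, old.Login)
		}
	}
	sort.Strings(res.Removed) // map iteration order is random; keep the log stable
	return next, res
}

func inAnyGroup(memberOf []string, selected map[string]bool) bool {
	for _, g := range memberOf {
		if selected[g] {
			return true
		}
	}
	return false
}
```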

Network administrators

Network Manager allows administrators to:

• Add, delete, and manage other Usher network users and administrators
• View the status of other administrators – “active” or “inactive”


Badge management and design

Badge management includes various functions to change badge functionality.

Design allows an administrator to modify badges:

• Color (gradient option available)
• Patterns – choose from eight provided background patterns
• Background image – upload PNG or JPG files
• Icon – upload PNG or JPG files

Properties allows an administrator to:

• Edit badge name
• Enable Usher code broadcasting to access high-security door readers
• Toggle location tracking on or off
• Set location- or time-based restrictions for badge usage


Chapter 4: Authentication and access control options

Today’s methods of authentication and access are both wide-ranging and outdated – because enterprises continue to r rely on twentieth-century thinking to secure a digital world. The solution needed today includes authentication and access methods that replace the outdated methods (passwords, badges, ID cards, keys, security tokens), and can connect to all enterprise assets, including applications, domains, data and processes, with physical systems: watches, phones, tablets, computers, doors, facilities, vehicles, safes, and gates. Access to these resources and spaces may be granted using one of several methods and customization options with the Usher Security app. These fall under the categories of logical access, physical access, and behavioral-based conditions.


Logical access and methods

Web applications refer to resources that users access through a browser (web browser or mobile browser). These can be cloud applications or enterprise-grade, internally hosted applications. While Usher can be configured to provide authentication into any SAML 2.0-enabled web application or any VPN solution that supports FreeRADIUS, the Usher gateway configuration interface provides customized templates for several high-profile, prolific applications. These include, but are not limited to:

• Amazon AWS
• Salesforce.com
• MicroStrategy Web
• Google Apps
• GitHub
• Rally
• WordPress
• Dropbox
• Zendesk
• Flowdock
• Box
• Asana
• New Relic
• Active Directory Federation Services
• Slack
• Join.me
• Yammer
• GoToMeeting
• RemedyForce
• Cisco VPN
• Juniper VPN
• Citrix VPN

Usher’s VPN functionality is implemented as a module that sits on a RADIUS server, one of the most popular VPN servers in the market. As a result, Usher’s VPN solution is designed to work with vendors that support the RADIUS protocol, like Cisco, Juniper, Citrix, and F5. In this way, Usher adds an additional layer of security for remote system access that is convenient to the end user.


Method 1: QR code scan

When accessing a shared logical resource, such as an open workstation, the resource’s front-end Usher user interface is assigned a time-limited QR code by the Usher server. A user then scans the QR code from the validation panel of her Usher client, telling the Usher server who she is, as well as the gateway identifier associated with the QR code. The Usher server confirms the validity of the user and then passes the corresponding parameters to the web application using the SAML protocol in order to request access to the resource on behalf of the user.

Method 2: pairing (push notifications)

When performing a QR code scan on any SAML-enabled web application, the user can request that the system remember the specific user on this particular machine. This is known as pairing the client to the gateway. The Usher server will remember the user’s device token the next time the user goes to access the resource. The site will display a button to log in with Usher. Clicking on the button will trigger the Usher server to send a push notification to that user’s Usher client. The user can simply confirm the notification to log in. This feature works on Apple Watches with the Usher WatchKit app on them, as well as Android Watches, for which there is no native Usher application currently in production. As long as the phone is locked and configured to send its push notifications to an Apple/Android watch that is paired with it, the user will receive a push notification on his watch that allows one-tap access to a paired, logical resource gated by Usher.


Method 3: mobile single sign-on (app switching)

The Usher Security application supports mobile SSO workflows, which lets users log into third-party mobile applications running on the same device. Third-party mobile apps may implement the Mobile SDK to call the Usher Security app with a request to verify the user’s identity and obtain an access token. The communication between the Usher Security app and third-party apps is achieved via deep-linking between the applications.

Method 4: one-time-passwords (Usher codes)

On the main screen of each badge, the small white bar under the time-limited Usher code will shrink over time to let a user know that the code is about to expire. Aside from entering the time-limited Usher codes into their client to validate the identities of other users, a user can use her Usher code to log into organizational VPNs in much the same way as one-time passwords generated by security tokens are used. Usher’s VPN authentication inherits all security settings you set for your network, allowing you to customize the security based on your needs.


Physical access and methods

For physical access, Usher has Usher Physical Access (PACS) Web Services (specialized for specific physical access systems such as Honeywell EBI, Lenel OnGuard, and Tyco C-Cure) that broker calls between the Usher Server and the physical access system’s API layer. Some web services run on Windows Server under IIS (Lenel, Honeywell), while others run under Tomcat containers (S2). A “Standard PACS Adapter” also exists, which allows system integrators to write their own web services for PACS systems that are not supported by Usher out of the box.

Method 1: Digital keys

The key panel lets users tap on a key to unlock doors, elevators, and gateways. Virtually any entryway that is controlled by a PACS can be unlocked using Usher keys. Usher offers a list of all entryways a person has authorization to unlock and lets him organize his favorite keys on the key ring panel. The favorites key ring is also accessible in the Usher app on the Apple Watch.

By default, the key panel shows your favorite keys. Tap on the ‘All’ button at the top-right of the screen to bring up all the keys you have access to, organized by badge. Here, you can then add and remove your favorite keys. These keys can be accessed by providing up to three factors of authentication—having your phone with you, knowing your phone’s passcode, and presenting your fingerprint (with iOS Touch ID). Most importantly, administrators can monitor and record who accesses each entry point at any given time—providing unparalleled insight into potential threats.


Method 2: QR scans

Another way to unlock doors is by simply scanning the Usher QR code affixed to a door. An organization can place an Usher QR code at each entryway. A user then scans the Usher stamp with his validation panel, and Usher communicates with the PACS to unlock the door to which the Usher stamp is affixed. With the key panel and QR scans, Usher bypasses legacy door readers and communicates directly with the PACS, so enterprises can use Usher without purchasing new door reader hardware.

Method 3: Bluetooth readers

For hands-free door entry, Usher uses Bluetooth to automatically unlock the door without the user needing to remove the smartphone from a pocket or purse. Using the same information advertised for peer-to-peer user discovery, a door reader can obtain the badge ID via Bluetooth and then make a request to the PACS, which unlocks the door if the user is both within a customizable physical range and authorized to enter. With Bluetooth low energy (BLE), Usher minimizes battery consumption, as the user does not need to have the Usher Security app running in the foreground. Whether access was granted or denied is displayed on the door reader.


Method 4: iBeacons

Another method of context-based physical access is the Usher Nearby widget in the Today view of the iPhone’s drop-down notification center, which is accessible from the lock screen. iBeacons, which are relatively inexpensive, are deployed to powered sources near physical entryways and set to constantly broadcast their presence via Bluetooth. When an Usher user is within range of an iBeacon and opens her Usher Nearby widget, the client on the phone receives the number the iBeacon is transmitting. It then maps the iBeacon to its associated key and calls the Usher server for access to this resource. In this way, just one button in the widget can take on the identity of the key for whichever door the user is standing next to.

This feature is also integrated with the glance of the Usher app for the Apple Watch. When a user swipes up from the bottom of their Apple Watch, the glance searches for iBeacons associated with physical entries nearby and displays them to the user for access.

Furthermore, iBeacons and Usher can be configured to automatically unlock doors when a user comes within a certain distance of the door. This delivers maximum convenience, as a user can leave their phone in their pocket.


Method 5: NFC chips

Near Field Communication (NFC) chips are similar to Bluetooth chips and allow the sharing of small payloads of data. Most Android devices have an NFC chip located somewhere on the device. When Usher-configured NFC chips are deployed throughout an enterprise environment, Android end users can take advantage of NFC for convenience. Users simply hold the spot of their device where the NFC chip is located against the sticker placed near the door. The location of the NFC chip differs between Android devices. The Usher client does not have to be open, but must be running in the background on your device. On the majority of devices, the NFC chip is located near the camera, but some trial and error may be needed for your particular device.

[Figure: NFC sticker reading “Tap Here to open”]

Behavioral-based conditions/fencing

Network administrators can set restrictions for how Usher badges are used, based on time and geo-location, for better control and security over network resources.

In other words, any resource (logical or physical) can be gated so that access is only possible during certain hours or in certain geographic locations.


Additionally, administrators can set up Usher to require fingerprint verification every time a person uses it, or before accessing specific resources. This is significantly more convenient than typing in a password, and prevents unauthorized use of the Usher badge by providing an additional authentication factor for highly secure situations. Since only certain types of smartphones contain fingerprint readers, a passcode alternative is available for devices lacking this feature.
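The time- and location-based restrictions and the per-resource fingerprint requirement described in this section, as an added Go example (not Usher's code): a policy evaluator that applies a permitted-hours window (including one that crosses midnight), a circular geo-fence using the haversine distance, and a required extra factor, and that denies rather than guesses when a geo-fenced request carries no location. The data structures and field names are this example's assumptions, not Usher's configuration model.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Point is a WGS-84 coordinate as reported by the phone's location services.
type Point struct{ Lat, Lon float64 }

// GeoFence permits access only within RadiusM metres of Center.
type GeoFence struct {
	Center  Point
	RadiusM float64
}

// TimeWindow permits access on the listed weekdays between Start and End,
// given as minutes after midnight in Location. End < Start means the window
// crosses midnight (a 22:00 to 06:00 night shift, for example).
type TimeWindow struct {
	Days       map[time.Weekday]bool // empty means every day
	Start, End int
	Location   *time.Location
}

// Restriction is what an administrator attaches to a badge or a specific
// gateway; a nil field means no condition of that kind.
type Restriction struct {
	Hours              *TimeWindow
	Fence              *GeoFence
	RequireFingerprint bool
}

// Request is one access attempt as the server sees it. Location is nil when
// the device reported no coordinates.
type Request struct {
	User, Gateway       string
	At                  time.Time
	Location            *Point
	FingerprintVerified bool // fingerprint, or the passcode fallback
}

func (w TimeWindow) Contains(t time.Time) bool {
	lt := t.In(w.Location)
	m := lt.Hour()*60 + lt.Minute()
	day := lt.Weekday()
	var inWindow bool
	if w.Start <= w.End {
		inWindow = m >= w.Start && m < w.End
	} else if m >= w.Start {
		inWindow = true
	} else if m < w.End {
		// Past midnight: this belongs to the window that began yesterday.
		inWindow = true
		day = time.Weekday((int(day) + 6) % 7)
	}
	return inWindow && (len(w.Days) == 0 || w.Days[day])
}

// DistanceM is the great-circle (haversine) distance between two points in metres.
func DistanceM(a, b Point) float64 {
	const r = 6371000.0
	toRad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := toRad(b.Lat-a.Lat), toRad(b.Lon-a.Lon)
	h := math.Pow(math.Sin(dLat/2), 2) +
		math.Cos(toRad(a.Lat))*math.Cos(toRad(b.Lat))*math.Pow(math.Sin(dLon/2), 2)
	return 2 * r * math.Asin(math.Sqrt(h))
}

// Evaluate applies the restriction to a request and explains a denial.
// Conditions fail closed: a geo-fenced gateway denies a request that carries
// no location rather than assuming the user is inside the fence.
func Evaluate(r Restriction, q Request) (bool, string) {
	if r.Hours != nil && !r.Hours.Contains(q.At) {
		return false, "outside permitted hours"
	}
	if r.Fence != nil {
		if q.Location == nil {
			return false, "location required but not reported"
		}
		if d := DistanceM(r.Fence.Center, *q.Location); d > r.Fence.RadiusM {
			return false, fmt.Sprintf("outside geo-fence by %.0f m", d-r.Fence.RadiusM)
		}
	}
	if r.RequireFingerprint && !q.FingerprintVerified {
		return false, "fingerprint or passcode verification required"
	}
	return true, "allowed"
}
```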

Extension to Apple Watch

Usher for Apple Watch turns Apple’s most personal device into the key that unlocks the enterprise, both logically and physically. It’s a new take on enterprise security that combines the powerful security capabilities required by modern organizations with the simplicity of a consumer WatchKit app. The iPhone and Apple Watch work in concert and are contextually aware of the systems, hardware, and entryways that users approach. Users receive push notifications on their Apple Watch, prompting them to unlock their workstation, log into a system, or open a doorway, and they can do so with a tap or gesture. In addition, the WatchKit app boasts a digital keychain which synchronizes with the digital keychain in the Usher app on its owner’s smartphone that is paired with it. A user can also use Apple Watch Force Touch to switch between badges and access the dynamic 4-digit Usher codes associated with various badges for multi-factor authentication (e.g., into a VPN) or identity verification. The glance feature of the WatchKit app mirrors the Usher Nearby widget on the phone; it searches for the nearest iBeacon and lets an authorized user unlock any door they are standing in front of.


Chapter 5: Workforce productivity with Usher Professional

With Usher Professional, a mobile application available on both smartphone and tablet, managers gain access to personalized and localized intelligence about resource utilization, transaction authorization, and all other activity being performed by their subordinates in the enterprise context. It is especially applicable to teams where employees are in the field.


Discovery views

There are three discovery views for Usher Professional: grid, list, and map view. By tapping on each individual team member, a manager can contact a team member directly or be kept informed of their recent enterprise access activity with usage data collected from their Usher Security application.


User profile

Tapping on a user brings up their user profile. The first tab of the user profile shows trend lines for their usage of both physical gateways and logical resources. The second tab is a bar graph of the locations the user performed Usher actions from, as well as how many actions were performed at each location. The third tab maps out the locations the resources were accessed from. Tapping on each location provides a scrollable log of actions taken at the location.

From within the Usher Professional interface, a manager can directly initiate an email to a subordinate if the manager notices unusual items or patterns in the access history. For added insight, Usher Professional can integrate individual access data with other types of individual data (e.g., HR information) that is stored in analytics projects, such as those created in MicroStrategy Analytics.


Search capabilities and saved groups

In Usher Professional, a manager can filter, search, and create groups. Usher Professional can be calibrated to display users in the immediate vicinity, users within 300 feet, users within five miles, or all users in your badge network. A manager can save a group discovered by using any of these filter options, and check up on members of that particular group later. For example, a manager may wish to bookmark anyone who attended a particular planning meeting.

To help with sorting through every user in a particular network, a manager can search based on name or title keyword, and save groups based on this. An example would be everyone who has “associate” in his or her title. Groups that are saved from the search functionality can be edited to clean out irrelevant search results (e.g., if the previous associate search was intended to find junior-level employees, but also included a couple of associate vice presidents in the results). Usher Professional can be customized with more detailed user profiles for searches. The flexibility to add fields such as skills or certifications enables managers to more efficiently utilize the human capital theoretically at their disposal. Additionally, a manager can create and save a group of employees based on geo-location in the map view by creating a circle of a certain radius from a point or by using a freeform selection tool. After creating and saving a group, a manager can also send communications to the entire group as they would to an individual.


Chapter 6: Intelligence and reporting with Usher Analytics

Built on the industry-leading MicroStrategy Analytics Platform, Usher Analytics captures, analyzes, and displays visualizations of all Usher activity, providing both global visibility of users and an audit trail for governance, risk management, and cyber security oversight. It also provides proactive alerts when abnormal activity is detected or when thresholds are exceeded, and delivers a full spectrum of analytic capabilities, from simple time analysis to sophisticated correlations and data mining.

Whenever an action is taken on an Usher Security client, the action is passed to the Usher server log and then to Usher Analytics, where it is stored in a MySQL database. If the Usher server is installed on-premise, a customer has flexibility in storing these action logs in a variety of ways.

Usher Analytics provides complete visibility of all identity actions across a network in near real time, enabling state-of-the-art risk management, cyber security, and auditability to provide actionable insights at all times. Examples include immediate detection of abnormal activities and irregular patterns (such as after-hours access), outlier behavior, or users who seem to be in two places at once.

As an offering, Usher Analytics comes out-of-the-box with a set of pre-built MicroStrategy Analytics schema and objects, such as reports, dashboards, metrics, and filters. However, organizations also have the flexibility to upload their own data to the project for additional analysis.

The current Usher Analytics solution, hosted in our cloud environment, utilizes the latest innovations in in-memory architecture to enable world-leading data warehousing options for massive datasets shown against traditional online analytical processing (OLAP) services.


Interface

Our main dashboard, accessible from the Network Manager site, contains information about the users, resources, and transactions of the viewer’s networks.

The second section of this dashboard presents an overview of members’ activities and will allow you to see which users are most active, access the most resources, and initiate the most connections.


If location services are enabled on the user’s device, a pair of location coordinates will be recorded for each transaction that they initiate. You can, at a glance, see the last known location of each member on your network.

Usher Analytics will also provide administrators the functionality to categorize their most used resources, or rank and sort which resources are susceptible to failure, as shown below:


If an Usher network administrator wants to dive deeper into an individual Usher user’s behavior or transactions, there is a convenient view of the data for auditing. The view below provides a summary of usage, the resource distribution of that user, and the segmentation of where actions are being performed.

Transaction logs

The Transaction log is a summary of all Usher network actions. It comes with a robust filter panel and gives you the power to drill down and filter into specific activity types, timeframes, or sets of actions for full compliance and auditing.


Pre-built dashboards

These are the current out-of-the-box Usher Analytics dashboards as accessible from the web in Network Manager:

Network panel – provides an overview of the network as a whole.

User panel – lists all users and provides trends and metrics around their usage.


Gateway panel – lists all gateways and provides trends and metrics around their usage. The gateway panel is divided into the analysis of physical and logical gateways.


Chapter 7: Usher server

The nerve center of the platform, the Usher server is a scalable, high-performance server that can host one or many Usher networks. It can be installed on-premise, or used in Amazon’s secure cloud as multi-tenant or single tenant.

The Usher server is a Java web application built using the Play Framework, which follows the model-view-controller (MVC) architectural pattern. The server runs on an Apache Tomcat web server and utilizes a MySQL database. The operating system needed for the Usher server is Red Hat Linux. The Usher server has also been tested on CentOS and Windows; while the server can be made to run on these platforms, these are not certified.

Play Framework

• Lightweight, stateless, MVC
• Built on Scala, Akka, Iteratee IO
• Highly scalable, asynchronous programming
• ORM support (EBean)
• In-memory DB support
• Easy to build (sbt) and deploy (built-in Netty, supports other application servers)


Server architecture

(Diagram: the Usher server sits between the directory gateways, the logical gateways, and the physical gateways.)

Server components

(Diagram: the IDM kernel provides identity management, network (organization) management, resource management, and logical access support; the Usher service covers biometrics and similar functions; both sit on the IDM common library and tools.)

Common library and tools

The Usher server provides generic components, tools, and applications to the platform:

• Server common interface (common-interface project)
• Server general library (common-library project)
  • SAML
  • PKI
  • Other utilities, including HttpClient
• Server common modules (common project)
  • Multiple-language message support
  • License support
  • Mail support
  • OAuth
  • Security
  • General configuration support
• IDM common classes (common project)
  • UsherModel
  • UsherController
  • SQLOperator
• Log, LogSDK and LogServer (common project, LogServer)
• Cache SDK


Server deployment

The Usher server is built and deployed using the RPM Package Manager. RPM packages can be built automatically and contain all WAR files and database changes for the server. The deployment process is also automated, which un-packages the RPM build, deploys the WAR files to the correct Tomcat instances, and executes any DB changes.

Deployment architectures

Usher can be deployed across a variety of deployment architectures. The deployment architectures that are possible are:

• Secure Cloud deployment
  • Multi-tenant – with or without Active Directory Site Agent
  • Single-tenant – with or without Active Directory Site Agent
• On-premise

Secure Cloud

Usher uses Amazon Web Services for hosting our multi-tenant or single-tenant Secure Cloud Usher servers. Our cloud team will work with you to size an environment specific to your enterprise requirements. Secure Cloud is monitored, managed, and maintained by experts.

Certifications and controls

Usher cloud environments are designed to ensure compliance with the strictest security frameworks. Our personnel are highly trained on the infrastructure, process, methodologies, and applications.

1. Vulnerability and penetration testing
2. 24x7 monitoring and alerts
3. SOC 2 Type II, PCI, HIPAA, Safe Harbor

FIDO certification

The FIDO (Fast IDentity Online) Alliance, a coalition of vendors that includes Microsoft, Google, Intel, Lenovo, RSA, Samsung, Qualcomm and various credit card companies, has developed open specifications for stronger, more secure authentication.


FIDO’s specifications were also developed to address the lack of interoperability among strong authentication technologies and to remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler and stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication is stronger, more private, and easier to use when authenticating to online services.

FIDO certification is performed using a set of test tools developed by the FIDO Alliance, followed by participation in a proctored interoperability event. Usher has passed a rigorous series of tests that measure compliance with the FIDO Universal Authentication Framework (UAF) and ensure interoperability with other FIDO certified products and services that support FIDO 1.0 specifications, thus achieving FIDO certification.

Systems

Our environments are architected using best practices to ensure high availability and redundancy. Systems are backed up every night so we can recover in case of unforeseen events.

1. 99.9% SLA
2. Highly redundant
3. Disaster recovery – metadata and virtual machines are backed up every day
4. High availability

Current server environment (multi-tenant)

(Diagram: hardware load balancing and firewall, with paired load balancers in an active/passive configuration, in front of the following server groups, each consisting of web servers and a database master and, where present, a database replica: Mirror/Staging servers, Test servers, Development servers, EA/Perf testing servers, UAT servers, and MPT servers. The host addresses shown in the original diagram are not reproduced.)


Operations

For SaaS-based implementations of Usher, all management of Usher services is performed by the MicroStrategy Operations team. For single-tenant Secure Cloud deployments of Usher, most day-to-day operational functions will be handled through the web-based administrative interface. System and database accounts, which provide superuser-level access to the underlying OS and database, are configured via the administrative interface and can be used to access these components directly should that level of access be warranted. Any access of the underlying OS or database should be done in coordination with Usher support staff, as changes to these components may render the Usher service inoperable.

Technology

The environment’s architecture is designed for high availability, so no guesswork or tuning is required from the customer since the environments are built and managed by our experts.

1. 64-bit architecture
2. Massive, high-speed networks
3. State-of-the-art computing platforms

Monitoring

For SaaS-based implementations of Usher, the MicroStrategy Operations team manages all Usher services. For Secure Cloud deployments of Usher, the virtual appliance provided by MicroStrategy exposes an SNMPv3 (Simple Network Management Protocol version 3) interface, which allows for monitoring of both the underlying Linux server health and the Usher application components. Configuration of the SNMP service is managed via the virtual appliance’s web-based administrative interface. The administration of this service allows for specifying a password and access list to secure SNMP communications, as well as an SNMP trap destination that will receive alerts from the appliance.

Maintenance

For SaaS-based implementations of Usher, all management of Usher services is performed by the MicroStrategy Operations team, with all performance and operational metrics exposed via Usher network manager. Secure Cloud deployment of the Usher platform uses a Linux-based virtual appliance provided by MicroStrategy. The virtual appliance provides standards-based monitoring end points that allow for the direct integration of Usher monitoring into existing Secure Cloud monitoring solutions. For Secure Cloud deployments of Usher, all maintenance functions are handled by a web-based administrative interface. The system routines managed via this interface are the following:

• Log management: allowing for downloading of system logs as well as specifying a remote host to receive syslog-based log messages
• Patch management: MicroStrategy provides monthly system update bundles, which can be uploaded and applied
• User management: manage the system and database level accounts and passwords
• Support service configuration: manage the addresses of the outside services required to support Usher—mail relay server; NTP server (Network Time Protocol) (NTP optional if the appliance’s system clock is synchronized to the Hypervisor’s clock which is synchronized to a stratum-2 time server); SNMP service configuration
• Certificate management: manage system certificates
• Usher service management: start and stop all components of the Usher Platform

Security operations

Security operations for Usher are closely tied to security architecture principles. Our security operations model reflects both security architecture designs as well as required compliance standards certifications (see Section 4.9). We apply our knowledge of security best practices, and have followed a plan that includes our Security Operations team as stakeholders in the security architecture review process, as well as during compliance decision points.

The Security Operations team conducts regular security tasks on the Usher servers and network, including, but not limited to, vulnerability management, patch management and mitigations, incident response, internal vulnerability assessments and red teaming, and event logging and analysis.

It should be noted that we maintain a physical and logical separation between the security operations enclave and the rest of the corporate and customer-facing network domains. The security devices that conduct vulnerability scans, logging, and malware detection are kept in a physically isolated cage in a data center, and can only be accessed by members of the Security Operations team.

Vulnerability management

It is critical to conduct vulnerability management at regular intervals on all hosts within the Usher network domain. Vulnerability management programs focus on both short- and long-term vulnerability mitigation strategies for recently discovered vulnerabilities as well as ongoing patch verification efforts. The Security Operations team works closely with IT Operations to ensure that the reference system is as up-to-date on patches as possible, and assists in helping the IT Operations staff understand the impact of the system patch.


Besides IT Operations, the Security Operations staff assists with verifying that software fixes have been applied. For example, if a third-party security assessment team recommends that the Usher server be configured with a particular security setting, the Usher server can enable the setting, and coordinate with the Security Operations team to scan the systems to ensure that the setting is enabled.

Event logging and auditing

In security operations, it is imperative to maintain event logs for auditing purposes. We use a Security Information and Event Management (SIEM) tool to collect, aggregate, filter, store, triage, correlate, and display security-relevant data, both in real time and for historical review and analysis. The SIEM allows us to take large amounts of disparate data and turn it into possibly relevant security-related events that can be further correlated into an incident, which is what we can take action on.
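Added example, not code from Usher or this guide, of what the transaction-log section (drill-down by activity type, user and timeframe; last known location per member) and the SIEM paragraph above describe: a filter over network transaction events and a correlation rule that turns a cluster of individual authentication failures into one incident. The JSON-lines record layout and the log lines are constructed for the example; Usher's real export format is not documented on this page.

```python
"""Filter and correlate Usher-style transaction-log events.

Added example, not Usher's own code. The record layout below is constructed for
this example; the real Usher transaction-log export format is not on the page.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: one JSON object per line, timestamps in UTC.
SAMPLE_LOG = """\
{"ts": "2016-03-01T08:00:05Z", "user": "alice", "action": "logical_access", "resource": "vpn", "result": "success", "lat": 38.88, "lon": -77.10}
{"ts": "2016-03-01T08:01:10Z", "user": "bob", "action": "auth_failure", "resource": "network", "result": "failure", "lat": 38.90, "lon": -77.03}
{"ts": "2016-03-01T08:01:40Z", "user": "bob", "action": "auth_failure", "resource": "network", "result": "failure", "lat": 38.90, "lon": -77.03}
{"ts": "2016-03-01T08:02:15Z", "user": "bob", "action": "auth_failure", "resource": "network", "result": "failure", "lat": 38.90, "lon": -77.03}
{"ts": "2016-03-01T08:02:50Z", "user": "bob", "action": "auth_failure", "resource": "network", "result": "failure", "lat": 38.90, "lon": -77.03}
{"ts": "2016-03-01T08:03:30Z", "user": "bob", "action": "auth_failure", "resource": "network", "result": "failure", "lat": 38.90, "lon": -77.03}
{"ts": "2016-03-01T08:20:00Z", "user": "alice", "action": "physical_access", "resource": "hq-lobby", "result": "success", "lat": 38.88, "lon": -77.10}
{"ts": "2016-03-01T09:30:00Z", "user": "carol", "action": "auth_failure", "resource": "network", "result": "failure", "lat": 40.71, "lon": -74.01}
{"ts": "2016-03-01T11:45:00Z", "user": "carol", "action": "auth_failure", "resource": "network", "result": "failure", "lat": 40.71, "lon": -74.01}
"""


def parse_ts(text):
    """Parse the log's UTC timestamp format into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse JSON-lines records, skipping blank lines; timestamps become datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        events.append(rec)
    return events


def filter_events(events, action=None, user=None, start=None, end=None):
    """Drill-down filter: by activity type, by user, and/or by an inclusive timeframe.

    `start` and `end` are ISO strings in the log's own format, so callers
    do not have to build datetime objects themselves.
    """
    lo = parse_ts(start) if start else None
    hi = parse_ts(end) if end else None
    out = []
    for e in events:
        if action is not None and e["action"] != action:
            continue
        if user is not None and e["user"] != user:
            continue
        if lo is not None and e["ts"] < lo:
            continue
        if hi is not None and e["ts"] > hi:
            continue
        out.append(e)
    return out


def last_known_location(events):
    """Most recent (lat, lon) per user, the 'last known location' view at a glance."""
    loc = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        loc[e["user"]] = (e["lat"], e["lon"])
    return loc


def correlate_auth_failures(events, threshold=5, window_minutes=5):
    """SIEM-style correlation: one incident per user whose authentication failures
    reach `threshold` inside a sliding window of `window_minutes`.

    Individual failures stay events; only the clustered pattern becomes an
    incident an operator acts on. Returns a list of incident dicts.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "auth_failure":
            by_user[e["user"]].append(e["ts"])
    incidents = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits within window_minutes.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                incidents.append({"user": user, "count": end - start + 1,
                                  "first": times[start], "last": times[end]})
                break  # report each user once; later failures belong to the same incident
    return incidents


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(len(filter_events(evts, action="auth_failure")), "authentication failures")
    for inc in correlate_auth_failures(evts):
        print(f"incident: {inc['user']} failed {inc['count']}x between {inc['first']} and {inc['last']}")
```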


Chapter 8: Custom implementation (SDKs)

The key vision of the Usher SDK is to enable third parties to seamlessly incorporate key components of identity management, access, and authentication - mobile, web, server, and intelligence - into their applications to enable custom use cases that are pertinent to their customers and business partners.

The Usher platform is being continually built with the intent of easily integrating with existing and future infrastructure and software. For each possible integration point, a Software Development Kit (SDK) including an API, documentation, tutorial, and sample code (or complete sample projects) is available. The diagram below is a high-level global view of the various Usher SDK components:

(Diagram: mobile, web, desktop and server-side apps call the Usher server API, the Usher admin API and the Usher data services API (Usher REST APIs, client-side and server-side); the Usher server infrastructure, in the cloud or on the customer premise, provides directory services, transaction services and PACS services. The Usher mobile API serves mobile apps, the Usher web API serves web apps, and the Usher admin API serves desktop apps; each SDK ships with documentation, a sample code project, and a library/client.)


APIs and other necessary elements are set up and maintained through the Usher network management web console. Specifically, the console allows app developers to:

• Register their application and retrieve their Usher API license keys
• Configure the third-party-server-to-Usher-server trust elements
• Monitor their Usher API usage
• Manage the application to Usher network permissions

The following sections will detail different SDK packages:

• Usher Professional app workflow
• Usher server-side SDK
• RESTful API
• PACS API

Visit https://developer.usher.com/ to view reference resources. This website helps third-party developers easily integrate Usher into their desktop, web, mobile, or server applications. The resources are organized by platform (iOS vs. Android vs. Java) as well as by the type of application being integrated (web vs. mobile vs. server).

Mobile SDK workflows

Often, a customer is interested in using the Usher platform for authenticating into their existing mobile applications, but is also uninterested in the inconvenience and login workflow that goes along with downloading an additional app (Usher). The following scenarios enable a customer to leverage the Usher platform in existing mobile apps for stronger authentication:

• Usher as mobile app authentication mechanism (directly via app)
• Usher as a mobile app authentication mechanism (via authentication app)
• Usher as enterprise SSO
• Usher as step-up authentication provider
• Usher as a peer-to-peer authentication provider


Usher as a mobile app authentication mechanism

Directly via app

(Diagram: the Acme Corporation mobile app uses the Usher mobile API for mobile apps to obtain an Usher user token from Usher.)

1. User is authenticated with Usher network from mobile app using credentials and/or biometrics
2. Mobile app can now leverage Usher functionality like Usher stamp scanning, Usher code, peer-to-peer verification, etc.

For SAML-based mobile apps

Detailed authentication workflow:

(Diagram: the Acme Corp. authentication app holds the Usher user token obtained through the Usher mobile API for mobile apps; the Acme Corp. backend talks to Usher through the Usher service-side API; the Acme Corp. mobile app talks to the Acme Corporation backend; the numbered arrows correspond to the steps below.)

1. User was previously authenticated to Usher network from mobile app
2. Acme Corp. mobile app is launched and requests a session with Acme Corp. backend
3. Acme Corp. backend requests resource session validation from Usher platform
4. Acme Corp. backend sends resource session ID along with local session ID to Acme Corp. mobile app
5. Acme Corp. mobile app invokes Acme Corp. mobile authentication app for resource session ID
6. Acme Corp. mobile app validates the access of resource session
7. Acme Corp. mobile app invokes Acme Corp. mobile app
8. Acme Corp. mobile app requests status for local session ID
9. Acme Corp. backend retrieves user identity from Usher platform for resource session
10. Acme Corp. backend sends confirmation (and user information) that local session is now active for the user

Note: this workflow is very similar to the workflow that would allow a user to authenticate with an enterprise web application.


Usher as an enterprise SSO provider

(Diagram: the Acme Corp. mobile app obtains an Usher user token through the Usher mobile API for mobile apps (1), forwards it to the Acme Corporation backend API (2), and the Acme Corp. backend validates it with Usher through the Usher service-side API (3).)

A simplified workflow can be described:

1. User is authenticated to Usher network from mobile app and acquires Usher token
2. Mobile app forwards token to customer backend
3. Customer backend confirms that the Usher user token is valid and corresponds to the user by calling the network API before performing further action

Usher as a step-up authorization provider

(Diagram: the Acme Corp. mobile app, the Acme Corporation backend API and Usher, with the numbered arrows corresponding to the steps below; the mobile app uses the Usher mobile API for mobile apps to retrieve the Usher user token.)

In the case of Usher as a step-up authorization provider, a high-level workflow can be described as:

1. Acme Corp. authenticates mobile app user
2. Acme Corp. grants mobile app user access to Usher network (trusted relationship)
3. Acme Corp. sends badge retrieval information to mobile app
4. Mobile app retrieves badge and Usher user token and can leverage Usher functionality, which includes biometrics and/or Usher code
5. Acme Corp. will validate Usher user token with Usher network as well as a second factor, which may be the user’s Usher code or biometrics
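Added example, not Usher's or MicroStrategy's code, of the backend check that closes both the SSO workflow and the step-up workflow above: confirm with the network that the forwarded token is valid and bound to the user the app claims to act for, and for step-up also verify the second factor. `UsherNetworkApiStub`, its token table and its Usher codes are hypothetical stand-ins for the network API, which this page does not document; a real deployment would make these calls through the Usher server-side SDK.

```python
"""Backend-side validation of an Usher user token (SSO and step-up workflows).

Added example, not Usher's code. `UsherNetworkApiStub` is a hypothetical stand-in
for the network API with constructed data; the real API is not on this page.
"""
import hmac
from datetime import datetime, timedelta, timezone

TRUSTED_NETWORK_ID = "acme-corp"  # constructed: the one Usher network this backend trusts
NOW = datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducible results


class UsherNetworkApiStub:
    """Hypothetical network-API client. Token bindings and Usher codes are constructed."""

    def __init__(self, now=NOW):
        ttl = timedelta(minutes=10)
        self._tokens = {
            "tok-alice-1": {"user_id": "alice", "network_id": "acme-corp", "expires": now + ttl},
            "tok-bob-1":   {"user_id": "bob",   "network_id": "acme-corp", "expires": now + ttl},
            "tok-stale":   {"user_id": "alice", "network_id": "acme-corp", "expires": now - ttl},
            "tok-foreign": {"user_id": "alice", "network_id": "partner-net", "expires": now + ttl},
        }
        self._codes = {"alice": "482913"}  # constructed: current Usher code per user

    def validate_token(self, token):
        """Return the binding the network reports for `token`, or None if it is unknown."""
        return self._tokens.get(token)

    def verify_usher_code(self, user_id, code):
        """Check the user's time-limited Usher code with a constant-time comparison."""
        expected = self._codes.get(user_id)
        return expected is not None and hmac.compare_digest(expected.encode(), code.encode())


def authorize_session(api, claimed_user, token, now=NOW, require_step_up=False, usher_code=None):
    """Decide whether to activate a local session for `claimed_user`.

    Returns (ok, reason). Every decision rests on what the network API reports
    for the token, never on anything parsed out of the token string itself.
    """
    if not token:
        return False, "missing token"
    binding = api.validate_token(token)
    if binding is None:
        return False, "token rejected by Usher network"
    if binding["network_id"] != TRUSTED_NETWORK_ID:
        return False, "token issued by an untrusted network"
    if binding["expires"] <= now:
        return False, "token expired"
    # A valid token is not enough: it must be bound to the user the app claims to act for,
    # otherwise one user's token would open another user's local session.
    if not hmac.compare_digest(binding["user_id"].encode(), claimed_user.encode()):
        return False, "token belongs to a different user"
    if require_step_up:
        if usher_code is None or not api.verify_usher_code(binding["user_id"], usher_code):
            return False, "second factor failed"
        return True, "session active (step-up verified)"
    return True, "session active"


if __name__ == "__main__":
    api = UsherNetworkApiStub()
    cases = [("alice", "tok-alice-1", False, None),
             ("alice", "tok-bob-1", False, None),
             ("alice", "tok-stale", False, None),
             ("alice", "tok-alice-1", True, "000000"),
             ("alice", "tok-alice-1", True, "482913")]
    for claimed, tok, step, code in cases:
        print(claimed, tok, authorize_session(api, claimed, tok, require_step_up=step, usher_code=code))
```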



Usher as peer-to-peer authentication provider

(Diagram: two Acme Corp. mobile apps, each holding its own Usher user token obtained through the Usher mobile API for mobile apps (1); the apps then discover (2) and authenticate (3) each other.)

1. The mobile user is authenticated with Usher
2. Mobile app discovers users in the vicinity (optional)
3. Mobile app authenticates other mobile app user (using Usher stamp or Usher code)

Mobile SDK

There are two Usher mobile SDKs: one for the Apple iOS platform (iOS 7 and later) and one for the Android platform (Android 4.0 and later).

Each Usher mobile SDK is composed of:

• Platform specific API libraries (iOS Framework and JAR libraries for Android)
• Usher mobile API documentation
• Tutorials describing the typical use cases and basic concept of the Usher mobile API
• Sample code/projects for each typical use case:
  • Usher as an enterprise SSO provider
  • Usher as a secondary factor for authentication
  • Usher as a step-up authentication provider
  • Scanning an Usher Stamp (e.g. QR code) to gain access to a logical resource
  • Peer-to-peer authentication/verification

Server-Side SDK

The Usher server-side SDK is geared toward enabling backend application developers to easily integrate with the Usher platform. Establishing a trusted connectivity setup between Usher and the third-party application requires an advanced level of knowledge of important security concepts. Any error in this setup could lead to a less-than-secure setup and/or unstable configuration. The Usher server-side SDK encapsulates best-practice steps and ensures they meet the Usher deployment guidelines.


In most use cases, the mobile backend will need to interact with the Usher platform backend servers. For example:

• Initiate a resource access workflow using an Usher stamp
• Initiate a trusted third-party-server-to-Usher-server session to perform actions on behalf of the user
• Initiate a trusted third-party-server-to-Usher-server session to provision a new Usher account
• Validate Usher user identity using an Usher code

While most of these tasks would be trivial to achieve by leveraging the Usher platform API, it is much faster and less error-prone to leverage the Usher server-side SDK.

Platform RESTful API

The Usher platform API is a RESTful endpoint structure that the Usher server exposes. These APIs provide programmatic access to Usher data and are utilized by different components of the platform, such as the Usher mobile client, network manager, etc., to carry out transactions. Request and response payloads are formatted as JSON and use standard HTTP methods like GET, PUT, POST, and DELETE.

Physical Access Control System API

The Usher platform supports native connectivity to a large number of physical access control systems (PACS): Lenel, S2, Honeywell etc. In the event a customer’s system is not amongst those Usher connects to out-of-the-box or requires additional flexibility, the Usher platform can be extended using the Usher PACS Web Service API facility.

Functionality supported with a custom PACS agent connectivity:

• Retrieve keys/resources available to a specific user
• Activate a key/resource (e.g. “Open South-East lobby door in HQ building”)
• Encryption of the communication channel (HTTP over SSL)

Below is a diagram illustrating how a custom PACS agent can be implemented allowing the Usher platform to interface with your PACS system. The Usher PACS agent web service API used for implementation is included in the Appendix.

(Diagram: in the Usher cloud, the Usher servers and the Usher network management web console; on the customer premise, a web service application server hosting the custom web service, which implements the Usher PACS web service API on one side and the physical access control system interface on the other, in front of the physical access control system.)


Chapter 9: Deployment scenarios

• Higher education institution
• Federal government
• International airport
• Financial services institution


Higher education institution

Overview

Higher education institutions today have multiple concerns on a day-to-day basis. Safety for the student body as well as faculty and staff is extremely important, and running a successful educational institution requires the administration to focus first and foremost on security. Physical security, as well as cyber security, is a high focus for these institutions, which is why most turn to different physical and cyber security solutions. However, the available solutions today focus only on one area of security, which is why one of the nation’s most elite private universities turned to Usher for a consolidated, intelligent, and comprehensive security solution that would be easy for students to use.

The problem with the student ID card

University students today are constantly in communication with one another and are always up-to-date on the latest technology. Therefore, universities are always striving to provide valuable and useful services to students that can be consumed on mobile devices. That’s why, with the rise of today’s major security issues–both physical and cyber–and the critical understanding of universities to protect students and their data, one university decided a better solution was necessary.

Used by students around campus, Usher provides a consolidated means of access and identification. Universities have long relied on plastic physical ID cards so students can gain access to buildings, events, or even make purchases with the ID card. And in an emergency situation, these ID cards establish a student’s identity and prove he is a member of the university community. With modern physical access control systems, these ID cards often serve as a proximity-based key, with the ability to unlock doors at buildings around campus. Students can present their ID cards to gain tickets for special events or sporting events on campus. And, ID cards also serve as a debit card, with payment processing capabilities (on either a debit account or credit account). Thus, the ID card serves as the center of a student’s on-campus world.

Envisioning a mobile solution

As with all physical objects that we use in our daily lives, problems arise when the ID card is lost, stolen, or counterfeited. On a university campus, a student ID card in the hands of the wrong person can be a major security issue, giving the unauthorized user access to buildings, events, and even payments. And physical cards don’t provide any form of intelligence or analytics, since showing an ID card to a university official can’t be tracked. With no insight, security threats can’t be monitored, and security issues take longer to be addressed by the campus security officials.


With Usher, one of the nation’s elite universities can now offer students a mobile app that consolidates the use of the ID card, as well as web application access. This university has deployed Usher, including the following use cases:

• Mobile student ID cards to 4,000 students
• Logical access to 100+ web applications (integration with Shibboleth)
• Mobile payments in the food court, dining hall, bookstore, and campus printers
• Physical access to campus buildings
• Event ticketing

With almost 90% of today’s university students in possession of a smartphone, a mobile app that integrates physical access, web and application access, ID card management, and mobile payments is a solution that all students are excited to use.

Additionally, Usher requires no new infrastructure investments, so the university chose Usher as the solution since there were no additional costs involved with deploying the solution.

And finally, with Usher Analytics, IT departments, network administrators, and campus security can have full insight into student movement and activity on campus. Every Usher action performed by students is logged and can be reviewed in real time or after the fact, so security and administrative teams can know exactly what is happening on campus at all times. Security threats can be monitored, and security issues can be followed up-to-the-minute, so in the event of a real emergency, campus security officials know exactly where the problem is and can respond faster. This gives university officials peace of mind that security, both physical and logical, is being monitored and any issues can be solved faster than ever.

Just the beginning of the mobile movement

With Usher, university officials know they are offering students a valuable solution, and administrators know they have the best insight into campus activity at all times. With Usher, the university reduces costs dramatically, eliminating the need to print and manage student ID cards, distribute and manage physical keys for building access, and manage and reset usernames and passwords. Thus, Usher provided the comprehensive security solution this university needed.


Federal government

Overview

The federal government operates across a wide variety of agencies and industries, all of which

are vital to the operation of the country. In particular, the network of first responders ensures that

emergency situations are attended to and resolved. Often, first responders arrive on a scene in

complete chaos – and the larger the emergency, the more disorganization it is. First responders

today have no way to quickly and easily identify one another, and responders from different units

have no way to communicate while on the scene. These issues are why one of the largest global

security and defense technology companies for the federal government turned to Usher for a

solution for first responders in the field.

A nationwide mobile network

Creating a network for all first responders that allowed for identity verification and communication was the most important task for improving the emergency response network. In the world of technology today, using mobile devices is a necessity for connecting groups of first responders and allowing them to communicate easily. And for administrators, it is equally important to be able to quickly locate all responders on duty, dispatch those responders to emergencies, stay in contact with them, and create groups on the fly so they can quickly identify one another. Without these capabilities, responders aren’t able to react to and resolve emergencies.

Envisioning a mobile solution

Usher is the exclusive partner of the largest defense technology company in delivering a nationwide mobile network for the federal government to support all first responders. The federal government will provide Usher on smartphones and tablets with a secure mobile badge as well as a dedicated network. Usher is used to provide the following for first responders and administrators:

• Biometric login for shared devices

• Identity verification

• Workforce management via communication channels such as push-to-talk, text, phone, and email

• On-the-fly group creation

• Analytics with live tracking capabilities for responders in the field

With this mobile solution, first responders will be able to easily identify and communicate with one another, so response teams are able to focus fully on addressing emergency situations. Administrators will be able to better coordinate emergency response, and the emergency situations will be safer for everyone involved.


International airport

Overview

Large international airports operate at the same size and scale as many major American cities, with daily operations across many different industries and professions. And for every airport, security is a top concern – ensuring that everyone coming and going, including both employees and passengers, is confirmed via identification documents such as a driver’s license, passport, or employee ID badge. Often, airports have additional facilities that require another identification check. Securing the airport facilities is an issue on the national and international level, which is why one of the largest international airports turned to Usher for a solution that would help ensure security within its facilities as well as offer the most enjoyable and convenient experience to travelers.

Security and customer rewards on a mobile device

When one of the largest international airports turned to Usher to improve their security solution, they were looking for a mobile solution that would appeal to today’s generation of travelers and employees. For internal use, multiple systems, applications, and physical locations required employees to use various inconvenient and outdated methods of authentication. Additionally, the airport wanted to provide a way to identify and reward VIP customers (frequent travelers). Currently, there is only one solution in the marketplace that addresses both of these needs in one mobile app.

Envisioning a mobile security solution

With Usher, the international airport is able to offer employees a mobile security solution that consolidates multiple security systems into one mobile app that can be used around the facilities. They also envisioned being able to offer a mobile VIP card for frequent travelers, making the airport experience even more enjoyable. This airport has deployed Usher, including the following use cases:

• Check-in/check-out system and reporting for 100 users across multiple business units (employees get paid for using the gym on a regular basis and are tracked accordingly)

• Salesforce.com login

• MicroStrategy Web login

• Mac unlock via Bluetooth

• Physical access for new administration facility

• Airport ID for employees, partners, and vendors

• Usher-driven VIP card for frequent airport travelers


Just the beginning of the mobile movement

As the mobile revolution continues to spread, all industries will continue to look for more innovative and secure ways to provide identity verification, physical access, and logical access combined in one application. Usher unlocks these possibilities for international airports, and allows airports to offer passengers unprecedented security and convenience, all at their fingertips. And for employees, consolidated access to web and mobile applications, physical locations and facilities, as well as a convenient identification method, brings in a new standard of security and convenience.

Financial services institution

Overview

Financial services institutions deal with some of the highest-risk transactions, managing billions of dollars in transactions, investments, and accounts. Every transaction that occurs requires the approval of the individual account holder, and the approval process relies on outdated methods of security and authentication, including passwords and security questions, that are easily guessed or found online. Additionally, employees handle and transfer large amounts of cash, which they pass on to other bank employees, requiring employees to be able to identify one another. This is why one of the largest financial services institutions turned to Usher for secure identity verification and multi-factor authentication for employee access to highly secure bank and customer data.

The need for a long-term security solution

The sheer amount of money controlled by financial services institutions requires the highest level of security. Additionally, when a customer reports fraud, the financial institution ends up footing the bill, costing the institution tens of millions of dollars every year. With so many security issues, financial services institutions are beginning to understand the need for a comprehensive security solution that provides identity verification, multi-factor authentication, system and application access, and security analytics. However, these institutions also understand that convenience is an important factor, and want a solution that will provide security without sacrificing convenience.


Envisioning a mobile security solution

With Usher, financial services institutions can replace outdated methods of authentication and identification, ensuring high-risk transactions are properly authorized. This financial services institution has deployed Usher, including the following use cases:

• Workstation login

• System and application access

• Biometric verification for physical access

• Analytics for monitoring access

• Identity verification for bank employees

Bank employees use Usher to log into their workstations and access bank and customer data in a way that is multi-factor and does not expose their credentials to key-logging malware. Before they unlock a vault or log into highly secure systems, they can conveniently use Touch ID for biometric verification.

Administrators are given access-monitoring tools, eliminating security threats caused by unauthorized access. If an administrator notices an off-duty employee trying to access a system containing valuable information or assets, the administrator can instantly revoke the employee’s access. Administrators can quickly grant and revoke security privileges remotely, eliminating the security risk of lost or stolen credentials (badges, keys, fobs, passwords).

Individuals working for the bank can identify each other either in person or over the phone – eliminating the long list of security questions or relying on ID cards that can be counterfeited – by asking for their four-digit Usher code that changes every minute. The bank distributes this solution to all of their cash-in-transit teams for employee-to-employee validation.

The safety, security, and location of cash-in-transit teams is of paramount importance, and banking security operations personnel are able to monitor the geographic location of these teams with the solution as well.

Just the beginning of the mobile movement

Financial services institutions understand the value of both security and customer convenience. As security continues to be a pressing issue for these institutions, they will look to solutions that can solve all their issues, while providing valuable services to customers. Investments will continue to grow in the security area, and mobile solutions will continue to dominate the list of necessities for all financial services institutions.


Chapter 10: System requirements


Up-to-date documentation links

The user content (Documentation) teams cover system requirements as part of the MicroStrategy Product Help. Making sure the content is accurate and up-to-date for every release is one of the biggest challenges they have undertaken for the benefit of users. The content is readily available to customers.

• System requirements for go.usher.com are part of the Usher Help, available at https://microstrategyhelp.atlassian.net/wiki/display/USHER/

• System requirements for an on-premises installation of Usher are part of the MicroStrategy Readme for each release

• The MicroStrategy 10.1 Readme will be available after GA at https://microstrategyhelp.atlassian.net/wiki/display/README101, as well as on the MicroStrategy download site, and in the installer.

Recommended production configuration

The following distributed architecture is suggested for production, fault-tolerant Usher instances to support high throughput. For best performance, it is necessary to provide multiple application servers. Software specifications and minimum hardware specifications are included in this document.

[Diagram: recommended production configuration. Network: F5 load balancer (two units). Tomcat servers www-1 and www-2, each hosting the Usher web service, the Physical Access Control (PAC) web service, IDM and GW components. Active Directory site agent. MySQL DB servers: master and replica.]

In this diagram, there is a load balancing appliance (labeled “Network”), and the following servers:

• Two (2) Tomcat servers for hosting Usher security. Both nodes are online and have their load distributed by the load balancer

• Three (3) MySQL DB servers – one master and two replicas for backup. The master is online and the replicas are offline, but can be brought online in case of failure on the master

• One (1) server to host the Active Directory site agent

• One (1) server to host the PAC web service if PACS is included in the enterprise deployment

The MicroStrategy Analytics environment (for Usher Analytics and Usher Professional) is not installed on any of these servers and is assumed to be running in a production configuration on separate hardware.

Please note that the MicroStrategy 9.5 and 10 installer for Linux does not support distributed installation at this time. Significantly more work is required to set up this architecture, and it involves many manual steps. A services contract with the Usher Solutions Group at MicroStrategy or through a certified partner is strongly recommended.


Development and pilot configuration

The following architectures are suggested for non-production instances that could be used for development and/or pilots. In this configuration, Usher security, Usher Analytics and Usher Professional are installed on the same server using the MicroStrategy 9.5 or 10 installer for Linux. The minimum specs for this server are four cores and 16 GB RAM.

[Diagram: development and pilot configuration. Tomcat server www-1 with MySQL DB, hosting the Usher web service, the Physical Access Control (PAC) web service, IDM and GW components. Active Directory site agent.]

In this diagram, there are the following servers:

• One (1) server to host Tomcat and MySQL DB

• One (1) server to host the site agent

• One (1) server to host the PAC web service if PACS is included in the deployment

Usher Professional and Analytics

Usher Professional and Usher Analytics add no requirements beyond the installation of the MicroStrategy Intelligence Server, MicroStrategy Mobile, and MicroStrategy Web. They are merely an add-on option with little additional impact on requirements. For production Usher implementations, it is recommended that the Intelligence Server be deployed according to MicroStrategy Analytics best practices and the metadata for Usher Professional and Usher Analytics be hosted according to the recommendations. For development and/or pilot installations, everything can run on a single server.


Usher physical gateways

For physical access systems, Usher leverages a dedicated Usher REST-based web service for communication with the physical access system.

[Diagram: Usher physical gateway. Usher server – PACS web service – PACS panel – door reader, with an optional iPad Mini door reader, all within the customer deployment. Legend: Usher component; 3rd-party component; network (WiFi) connection; physical (h/w) connection; BLE/NFC connection.]

Usher on-premises installation/configuration steps are online in Tech Note TN240567. The Usher installer can be downloaded from the MicroStrategy download site at https://software.microstrategy.com.

Usher evaluation edition license keys

If you are evaluating Usher, the Usher Solutions Group will provide an evaluation key that is good for 30 days. The key can be extended at MicroStrategy’s discretion for up to two (2) additional 30-day periods. Following the evaluation, all software must either be properly licensed or uninstalled.


1850 Towers Crescent Plaza | Tysons Corner, VA | 22182 | Copyright ©2015. All Rights Reserved. microstrategy.com | COLL-1430 0915